Implementing Custom fail2ban Filter for phpMyAdmin Brute Force Protection: Regex Debugging and Jail Configuration


When implementing a custom fail2ban jail to protect phpMyAdmin from brute-force attacks, I hit a problem where the jail never triggered even though the authentication failures were being logged correctly. The failed attempts were recorded in /var/log/phpmyadmin_auth.log in this format (note that the lines carry no timestamp):

phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php

My initial filter configuration in /etc/fail2ban/filter.d/phpmyadmin.conf was:

[Definition]
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

And the jail definition in /etc/fail2ban/jail.local:

[phpmyadmin]
enabled  = true
port     = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 6

To verify the filter was working, I used fail2ban-regex:

fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf

fail2ban-regex reported that the log lines matched, yet the jail still did nothing. The key observations:

  • The jail did not appear in the fail2ban-client status output at all, which means the server never loaded it and points at the jail definition or a missing reload rather than at the regex
  • No email notifications were sent for the phpmyadmin jail
  • Other jails (ssh, etc.) were functioning normally

After thorough testing, here's the working configuration. Two things to keep straight when reading it: the <HOST> tag is mandatory, because that capture group is where fail2ban reads the address to ban, and a match from fail2ban-regex is not by itself proof that the jail will act. fail2ban also needs a timestamp it can parse from each line, and the lines logged above carry none; releases differ in how they treat such lines (older ones log a warning and drop the match), so look at the date-template section of the fail2ban-regex output and, if no date is detected, have the logger prefix each line with one or set datepattern in the filter.

# /etc/fail2ban/filter.d/phpmyadmin.conf
[Definition]
failregex = ^phpMyadmin login failed with username: .*; ip: <HOST>;
ignoreregex =

Enhanced jail configuration (action_mwl both bans and mails, whereas the original sendmail-whois action only mailed):

# /etc/fail2ban/jail.local
[phpmyadmin]
enabled   = true
port      = http,https
filter    = phpmyadmin
logpath   = /var/log/phpmyadmin_auth.log
maxretry  = 4
findtime  = 600
bantime   = 3600
action    = %(action_mwl)s

After making changes, reload the jail and then verify it:

# Test the filter against the real log again
sudo fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf

# Reload the jail so the new filter and thresholds take effect
sudo fail2ban-client reload phpmyadmin

# Check that the jail is loaded, lists the log file, and counts failures
sudo fail2ban-client status phpmyadmin

For enhanced security, consider these additional measures:

# Whitelist trusted IPs. Keep the list narrow: 192.168.1.0/24 also contains
# 192.168.1.50, the address making the failed attempts in the sample log above,
# so a whole subnet here exempts the attacker along with the administrators.
ignoreip = 192.168.1.0/24

# Multi-port protection (add any alternate port the web server listens on)
port = http,https,8080

# iptables chain the ban rules are inserted into. INPUT (the default) is right
# when this host serves phpMyAdmin itself; use FORWARD when it only routes to it.
chain = INPUT

# Explicit actions: a ban plus a whois-enriched mail, roughly what %(action_mw)s expands to
action = iptables-multiport[name=phpmyadmin, port="http,https"]
         sendmail-whois[name=phpmyadmin, dest=admin@example.com]

Remember to test your configuration thoroughly before deploying in production environments. The fail2ban-regex tool is invaluable for validating your filter patterns against actual log entries.
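To see how the filter, the maxretry/findtime thresholds and ignoreip interact before touching a live server, here is an added example in Python (not code from the page or from fail2ban itself). It stands in for fail2ban's matching in simplified form: a plain IPv4 group replaces the <HOST> pattern, the findtime window is a sliding per-address count, and each constructed log line carries a synthetic epoch timestamp, since the page's lines have none:

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sample input in the page's /var/log/phpmyadmin_auth.log format.
# fail2ban needs a timestamp per line and the page's lines have none, so a
# synthetic epoch value is carried alongside each line here instead.
SAMPLE_LOG = [
    (1000, "phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php"),
    (1005, "phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php"),
    (1010, "phpMyadmin login failed with username: admin; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php"),
    (1020, "phpMyadmin login succeeded with username: pma; ip: 10.0.0.7; url: http://somedomain.com/phpmyadmin/index.php"),
    (1030, "phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php"),
    # a slow guesser: one failure every 700 s never reaches maxretry hits inside findtime=600
    (2000, "phpMyadmin login failed with username: root; ip: 10.0.0.7; url: http://somedomain.com/phpmyadmin/index.php"),
    (2700, "phpMyadmin login failed with username: root; ip: 10.0.0.7; url: http://somedomain.com/phpmyadmin/index.php"),
    (3400, "phpMyadmin login failed with username: root; ip: 10.0.0.7; url: http://somedomain.com/phpmyadmin/index.php"),
    (4100, "phpMyadmin login failed with username: root; ip: 10.0.0.7; url: http://somedomain.com/phpmyadmin/index.php"),
]

# The working failregex from the page. fail2ban substitutes <HOST> with its own
# address pattern; a plain IPv4 group is enough to reproduce that offline.
FAILREGEX = r"^phpMyadmin login failed with username: .*; ip: <HOST>;"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def failregex_is_valid(failregex: str) -> bool:
    """fail2ban rejects a failregex with no <HOST> group: it would have nothing to ban."""
    return "<HOST>" in failregex


def compile_failregex(failregex: str) -> re.Pattern:
    if not failregex_is_valid(failregex):
        raise ValueError("failregex must contain <HOST>")
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def extract_host(pattern: re.Pattern, line: str):
    """Return the address a matching line attributes the failure to, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def is_ignored(host: str, ignoreip) -> bool:
    """ignoreip semantics: any listed address or CIDR range exempts the host."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(log, failregex, maxretry=4, findtime=600, ignoreip=()):
    """Replay log lines through the filter; return hosts in the order they get banned."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    banned = []
    for ts, line in log:
        host = extract_host(pattern, line)
        if host is None or host in banned or is_ignored(host, ignoreip):
            continue
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()          # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("banned:", simulate_jail(SAMPLE_LOG, FAILREGEX))
    print("banned with findtime=3600:", simulate_jail(SAMPLE_LOG, FAILREGEX, findtime=3600))
    print("banned with ignoreip=192.168.1.0/24:",
          simulate_jail(SAMPLE_LOG, FAILREGEX, ignoreip=("192.168.1.0/24",)))
```

Run as-is it shows 192.168.1.50 banned at its fourth failure inside findtime, 10.0.0.7's one-attempt-per-700-seconds guessing never banned with findtime=600 but banned with findtime=3600, and ignoreip=192.168.1.0/24 silently exempting the attacker. Feeding it the page's regex with the <HOST> tag missing raises, which is the offline equivalent of fail2ban refusing the filter.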


After implementing custom logging for failed phpMyAdmin login attempts to /var/log/phpmyadmin_auth.log, I configured fail2ban with:

[phpmyadmin]
enabled  = true
port     = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 6

Yet the fail2ban service wasn't triggering alerts despite multiple failed login attempts being logged.

The initial filter regex in /etc/fail2ban/filter.d/phpmyadmin.conf:

[Definition]
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

While this looks correct at first glance, there are several things to check:

  1. Spelling and case: fail2ban regexes are case-sensitive, so the pattern must match exactly what the logger writes ("phpMyadmin" in these lines, not "phpMyAdmin")
  2. Whitespace: the literal spaces in the pattern ("username: ", "; ip: ") must match the log format character for character
  3. Timestamps: the log lines carry no date, and fail2ban needs one it can parse; older releases warn and discard a match without one

Here's the fully tested configuration that works (the <HOST> tag is mandatory; it is the capture group fail2ban reads the address to ban from):

# /etc/fail2ban/filter.d/phpmyadmin.conf
[Definition]
failregex = ^phpMyadmin login failed with username: \S*; ip: <HOST>;
ignoreregex =

One caution on \S*: the username field is whatever the client typed into the login form. \S* stops at the first whitespace, so an attempt made with a username containing a space never matches and is never counted, and because the pattern is not anchored to the end of the line, a username that imitates the log format (something like "x; ip: <some address>; url: ...") decides which address fail2ban extracts. The greedy .* used in the first filter on this page has neither problem: it swallows the username whatever it contains and backtracks to the last "; ip: ...;" on the line. Whether such a username can reach the log unescaped depends on the custom logger, which is not shown here.
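Because the username field is whatever the client submitted, it is worth checking how the filter behaves on hostile values. The Python below is an added example (not the page's or fail2ban's code) that runs the \S* filter above and the greedy .* variant from earlier on this page against constructed log lines, including one with a crafted, purely hypothetical username that imitates the log format; a plain IPv4 group stands in for fail2ban's <HOST> pattern:

```python
import re

HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # stand-in for fail2ban's <HOST>

# Two candidate filters in the page's format: the \S* variant and the greedy .* variant.
LOOSE = r"^phpMyadmin login failed with username: \S*; ip: <HOST>;"
GREEDY = r"^phpMyadmin login failed with username: .*; ip: <HOST>;"

REAL_CLIENT = "192.168.1.50"
# Constructed, hypothetical form input that imitates the log format; 203.0.113.9
# is a documentation address and stands for any victim the attacker picks.
CRAFTED_USERNAME = "bob; ip: 203.0.113.9; url: http://x/"
USERNAMES = ["root", "", "john doe", CRAFTED_USERNAME]


def log_line(username, ip, url="http://somedomain.com/phpmyadmin/index.php"):
    """A line in the page's phpmyadmin_auth.log format, username written unescaped."""
    return f"phpMyadmin login failed with username: {username}; ip: {ip}; url: {url}"


def extracted_host(failregex, line):
    """The address fail2ban would attribute the failure to, or None if the line is not matched."""
    m = re.compile(failregex.replace("<HOST>", HOST_RE)).search(line)
    return m.group("host") if m else None


def extracted_hosts(failregex):
    """Map each test username to the address the filter extracts for a failure from REAL_CLIENT."""
    return {u: extracted_host(failregex, log_line(u, REAL_CLIENT)) for u in USERNAMES}


def filter_is_robust(failregex):
    """True only if every attempt is counted, and always against the real client."""
    return all(host == REAL_CLIENT for host in extracted_hosts(failregex).values())


if __name__ == "__main__":
    for name, rx in (("LOOSE", LOOSE), ("GREEDY", GREEDY)):
        print(name, "robust" if filter_is_robust(rx) else "NOT robust")
        for user, host in extracted_hosts(rx).items():
            print(f"  username={user!r:45} -> {host}")
```

The \S* filter misses the "john doe" attempt entirely (it is never counted) and, lacking an end anchor, lets the crafted username choose the extracted address; the greedy .* consumes the whole username and backtracks to the last "; ip: ...;" on the line, so all four cases resolve to the real client. This holds because the real address is logged after the username and the url field, being an HTTP request target, cannot contain the literal spaces the log format uses.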

And the improved jail configuration:

# /etc/fail2ban/jail.local
[phpmyadmin]
enabled  = true
port     = http,https
filter   = phpmyadmin
action   = %(action_mwl)s
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 4
findtime = 600
bantime  = 3600

To confirm your setup is working:

# Test the filter pattern
sudo fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf

# Check jail status
sudo fail2ban-client status phpmyadmin

# Monitor in real-time
sudo tail -f /var/log/fail2ban.log

For enhanced security, consider these additions:

# Explicit actions: block at the network level and notify by mail
action = iptables-multiport[name=phpmyadmin, port="http,https"]
         sendmail-whois[name=phpmyadmin, dest=your@email.com]

# Whitelist your own IPs, narrowly: this /24 also contains 192.168.1.50,
# the address seen failing in the sample log above
ignoreip = 192.168.1.0/24 127.0.0.1/8

Ensure proper file permissions:

sudo chmod 644 /var/log/phpmyadmin_auth.log
sudo chown root:root /var/log/phpmyadmin_auth.log

The mode matters for the writer more than for the reader: fail2ban runs as root by default and reads the file whatever its mode, while the process that appends to it (the PHP worker, or syslog if the logger goes through it) must keep write access, so adjust owner and group to match. 644 is not needed for fail2ban and makes every attempted username world-readable; 640 is the tighter choice.

Verify fail2ban is monitoring the log:

sudo lsof | grep phpmyadmin_auth.log

fail2ban does not necessarily hold the file open between polls, so an empty lsof result on its own does not mean the jail is broken. The authoritative check is the "File list" line in the output of sudo fail2ban-client status phpmyadmin, together with its "Total failed" counter, which should increase after each logged attempt.